Five Steps to Implementing a Third-Party Risk Management Program

And a checklist of questions to get you started.

No matter what industry your organization is in, chances are you’re working with third parties—whether for strategy consulting, IT, financial purposes, you name it.

Today, we often look to third parties to tackle a task that might take us longer to do, cost more money, or require more people to complete. For example, your organization might hire a cybersecurity firm to monitor for threats and hackers because it would take significantly more effort to build your own security program.

But by working with third parties, there’s a certain level of risk that comes with the relationship. Going back to that cybersecurity company, your organization might’ve shared passwords with them, so they can properly watch over your systems and servers. However, if your passwords end up in the wrong hands, your organization’s most sensitive information could be compromised.

This type of risk is called third-party risk, and to manage it, you’ll need a third-party risk management (TPRM) program.

We recently spoke with Asureti Principal and Founder, Melissa Ryan, and Senior Manager, Technology and Security Risk Services, Andrew Howard, about TPRM, and how Asureti has leveraged technology to help manage its third-party risk. Asureti provides professional services to help clients simplify compliance, manage risk, and protect their data.

What is third-party risk management?

Third-party risk management is the concept of analyzing and minimizing risk associated with outsourced vendors or service providers.

“If you’re wondering whether or not you work with a third party, think about the embedded tools you use often, such as Google Analytics, Meta, or a similar website tracking software,” said Andrew. “In this example, you’re giving Google Analytics access to your company’s website through a piece of tracking code. It becomes crucial to understand how that code is generated and what Google’s cybersecurity program looks like, so you can arm your organization with the right tools in case of a cyber breach.”

Not handling these risks appropriately can have a big effect on your company—affecting your organization’s reputation, harming your client’s personal data, preventing supply chain operations, etc.

Instead, organizations must identify their third parties and understand exactly how they fit inside their ecosystem. The two most important questions to answer are: Who are our vendors and what information is being shared? We’ve prepared an additional checklist of questions at the end of this article to help get you started in your TPRM program.

If it’s necessary to share sensitive data with your third parties, remember to properly train them on the use of the information. To learn how Asureti is implementing best practices for managing their third-party relationships, watch the full webinar recording.

Steps to building your TPRM program

1 – Identify

To start, identify the vendors, partners, and tools your organization uses regularly, including any outside consulting company you might work with to outsource tasks and processes.

2 – Assess

Next, you’ll begin your risk assessment for each third party, which consists of understanding how your organization works with that party, what information they have, and how many people have access to that information. After the assessment, each third party will be graded based on the level of risk they pose.

It’s important to complete these assessments on a regular basis (typically once a year) to keep track of changes on the side of the third party and how they might affect your risk program. For more information on how to use risk assessments for your third-party relationships, check out this guide.

3 – Classify and Prioritize

Upon completing vendor assessments and grading each party, you’ll then want to rank them based on their level of risk.

“You don’t want to spend precious time developing risk management plans for vendors that are lower risk, don’t have access to sensitive data, or don’t produce high exposure from a financial or reputational perspective,” said Melissa. “By assigning numeric scores and visual indicators, we’re able to determine where to focus our time and how to be efficient on the priority risk areas.”

4 – Define

Define teams for each third-party relationship and their roles, along with an account lead who’s in charge of managing the relationship and the TPRM program.

“It becomes a problem when organizations don’t properly define the team and risk management processes,” said Melissa. “Each department might take on the roles that they’re experts in and assume the other tasks are being worked on by the appropriate team. A cross-functional team ensures that all tasks are completed and meet proper industry standards.”

5 – Leverage Technology

Finally, technology is your friend in managing your third-party risk, so you can focus on building relationships and keep business moving. The right tool will automate the assessment process moving forward, maintain third-party prioritization, and notify your team of any changes with your third parties to prevent risks from harming your organization.


360-degree Risk Dashboard

See what real-time visibility looks like when you centralize your entire third-party ecosystem by risk rating, criticality, relationship, assessment status, and findings severity.

Leveraging technology for TPRM

Leveraging technology helps identify and assess your third parties, not to mention monitor them for changes in risk levels. By using automation tools, your organization no longer has to spend precious time filtering through and prioritizing third parties based on arbitrary measurements. And Onspring’s Third-Party Risk Management solution can help you do just that.

“We use Onspring as our centralized platform to manage third-party relationships, and since it acts as our single source of truth, both our organization and our third parties are always on the same page and understand the risks at play,” said Melissa. “Everyone can come to one place to see the risks, status, information, etc., and we benefit, too, because it holds people accountable.”

By utilizing a GRC automation platform such as Onspring, organizations are able to automate the notification process for monitoring dates and triggers for certain TPRM cycles. Onspring specifically has dashboards built for each of these processes, along with ones that organize tasks and upcoming deadlines for their risk management team.

For Asureti, instead of spending time keeping track of tasks and manually sending out targeted reminders for each task, Onspring does that for them. Below are some additional benefits Asureti has realized since implementing Onspring:

  • Eliminate your reliance on spreadsheets and emails

  • Automate issuing and follow-up of third-party risk assessments

  • Assign and track mitigations and remediations

  • Collaborate on a single source of truth with a centralized repository of vendors, assessments, risks, and mitigations

  • Integrate with existing procurement, contracting, and accounts payable processes

  • Leverage market content providers for key risk information

Melissa Ryan with Asureti

“One of the huge wins we’ve been able to leverage from a technology and GRC perspective is automating some of those pieces. These dashboards are super helpful, not only for me and my team, but my business owners, too. So, everyone’s looking at the same information, working off the current status, knowing what’s in their queue. And management can come in and understand status workloads, work queues, and key issues.”

— Melissa Ryan, Asureti

Checklist of questions

When you’re evaluating your third party and vendor relationships, here’s a checklist of questions to answer before fully engaging with the third party. Asureti advises customers to ask these questions before even signing the contract to work with the third party and encourages them to check back on a yearly basis to confirm the external partner has continued to meet proper expectations.

  • What is the purpose of working with the third party? What is our ‘why’?
  • How are we classifying our third-party relationships? Which ones should we prioritize over others, and why?
  • What data or information do we need to share? How will it be shared? And who will have access to it?
  • Do we need to train the third party in how to handle the data or information?
  • If there’s a breach on the third-party’s side, what are they responsible for? And how does that affect us?
Roles & Responsibilities
  • What are our responsibilities and those of the third party?
  • Who owns third-party risk at our organization? Who needs to be involved?
  • Who will be in charge of this vendor relationship?
  • Is there any training that needs to take place, on our side or theirs, to work with them?
  • Who are our key contacts from the third-party?
  • What technology do they use?
  • Is there any technology we need to learn to use in order to work with the third party?
  • What regulation requirements do they need? Is the third party compliant? Do they have the proper certifications? What are they?
  • What policies, if any, do they have in place?
  • What process do we have in place for monitoring our third-party relationships?
  • What do we need to report on? And how will we do that?
  • Who needs to receive the reports and how frequently?

If you’d like to learn more about how Onspring’s Third-Party Risk Management solution can help your organization, reach out to us at


On-Demand Webinar

Get inspired to reignite your commitment for making risk-based decisions when selecting third-party solutions & services.

Actionable insights we think you’ll like